3

I have two keyrings: "Login" and "Default keyring".

"Login" contains only a few keys, including the unlock password for "Default keyring", and is unlocked automatically on login (which requires a password and is not set to auto-login)

"Default keyring" contains most of my keys. It is not unlocked automatically and needs to be unlocked manually in seahorse after every login. Obviously, unlocking it does not require any password, as the unlock password is automatically unlocked as part of the "Login" keyring.

Now I wonder how to set up an automatic unlock of the "Default Keyring".

Existing topics do not apply:

(My system specs: Ubuntu 15.10, GNOME Shell 3.18.2, Seahorse 3.16.0)

fret
  • 1,027

2 Answers

1

I did not find a solution for automatically unlocking a keyring other than the "Login"-keyring.

A workaround I came up with requires setting the passwords of both keyrings to blank temporarily, thus having plain-text access to both files in .local/share/keyrings/ (make sure to make backups).

I manually merged both files into the "Login"-keyring with a text editor, making sure that there are no entries with the same identifier. Then I deleted the "Default keyring"-keyring and finally set the password of the "Login"-keyring back to my login password.

fret
  • 1,027
0
cat ~/.gnome/apps/chrome-*
cat ~/.local/share/applications/chrome-*

For Chrome. Disable the "unlock your keyring" popup ("Enter password to unlock your login keyring"):

rm ~/.gnome/apps/chrome-*
rm ~/.local/share/applications/chrome-*

Edit. I was confused because I did not understand the problem. Now I will explain my error and my particular solution.

The .desktop files are the starting point for seeing what happens.

cat /usr/share/autostart/gnome-* | grep Exec
Exec=/usr/bin/gnome-keyring-daemon --start --components=gpg
Exec=/usr/bin/gnome-keyring-daemon --start --components=pkcs11
Exec=/usr/bin/gnome-keyring-daemon --start --components=secrets
Exec=/usr/bin/gnome-keyring-daemon --start --components=ssh

Automatic Unlocking

GNOME Keyring supports automatically unlocking keyrings when the user logs into the machine.

Configuring Gnome Keyring's PAM Support

This is usually installed by default by a distro or OS distributor. To check if your distro or OS has support for this:

grep -rq pam_gnome_keyring.so /etc/pam.* && echo "Have PAM Support"

To see if a 'login' keyring exists (it's created automatically):

test -f ~/.gnome2/keyrings/login.keyring && echo "Have 'login' keyring"

test -f ~/.local/share/keyrings/login.keyring && echo "Have 'login' keyring"

See pam.d:

ls /etc/pam.d/lightdm*
cat /etc/pam.d/lightdm*

When using GNOME, gnome-keyring is installed automatically as a part of the gnome group.

You can manage the contents of GNOME Keyring using Seahorse. Install it with the package seahorse.

This was my mistake. I was wrong and I posted the first solution, believing it worked. But it did not work: what happened was that the keyrings were already unlocked, and when you open google-chrome with the keyrings unlocked, you are not prompted for the password.

If I unlock the keyrings before I start chrome, then things seem to be okay.

However, if I close chrome and re-lock the keyrings, I'm still back in a bad state.

google-chrome
** Message: Remote error from secret service: org.freedesktop.Secret.Error.IsLocked: Cannot create an item in a locked collection

This answer explains:

Generally, a keyring is a secure password store, that is encrypted with a master password.

Once you input the master password, the keyring gets decrypted and all the passwords inside it are available to the application accessing the keyring.

On Gnome/Ubuntu the seahorse application can be used to look at the keyring, and the master password is the same as your user's password, so you don't get asked about it anymore.

Most likely your system's keyring password doesn't match your user's password, or the integration is somehow broken.

You can try to cancel it and see if you still have access to your saved website passwords. Most likely you will be asked for the master password again, as soon as you attempt to use a saved password.

My solution for now (I use https://www.passwordstore.org):

google-chrome --password-store=basic

Other info

cat /var/log/auth.log
Dec 25 10:06:30 wicope gnome-keyring-daemon[2415]: keyring alias directory: /home/usuario/.local/share/keyrings

ls -la  ~/.local/share/keyrings/
-rw-------  1 usuario usuario 15928 dic 25 12:04 login.keyring
-rw-------  1 usuario usuario   207 ene 21  2016 user.keystore

Without testing:

After this, gnome-keyring-daemon will not cause any Chrome issues anymore, but it will not save any system passwords (Google Chrome passwords will be saved and you can use saved ones too).

Raffa
  • 34,963
wicope
  • 19
  • 2
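The PAM check quoted in the answer above (`grep -rq pam_gnome_keyring.so /etc/pam.*`) also succeeds when the module line is commented out or when the `session` line lacks `auto_start`, in which case the login keyring is not unlocked at login. The following is an added example, not part of the original answer: the function name `check_keyring_pam` is hypothetical and both sample PAM files are constructed.

```shell
#!/bin/sh
# Classify pam_gnome_keyring.so usage in one PAM service file read from stdin.
# Prints "auth=<0|1> session_auto_start=<0|1>"; exit status is 0 only if both are 1.
check_keyring_pam() {
    awk '
        { sub(/#.*/, "") }                      # PAM comments run to end of line
        !/pam_gnome_keyring\.so/ { next }       # only lines that load the module
        {
            type = $1
            sub(/^-/, "", type)                 # "-auth": tolerate a missing module
            if (type == "auth") auth = 1        # auth stage receives the login password
            if (type == "session")              # session stage starts the daemon
                for (i = 2; i <= NF; i++)
                    if ($i == "auto_start") sess = 1
        }
        END {
            printf "auth=%d session_auto_start=%d\n", auth, sess
            exit !(auth && sess)
        }
    '
}

# Constructed sample: display-manager PAM file with working keyring integration.
SAMPLE_OK='auth     requisite pam_nologin.so
@include common-auth
auth     optional  pam_gnome_keyring.so
@include common-session
session  optional  pam_gnome_keyring.so auto_start'

# Constructed sample: the plain grep matches this file, yet no hook is active.
SAMPLE_COMMENTED='@include common-auth
#auth    optional  pam_gnome_keyring.so
session  optional  pam_gnome_keyring.so   # auto_start'

printf '%s\n' "$SAMPLE_OK" | check_keyring_pam
printf '%s\n' "$SAMPLE_COMMENTED" | check_keyring_pam || echo "keyring PAM hooks incomplete"
```

On a real system, feed it the file for the display manager in use, for example `check_keyring_pam < /etc/pam.d/lightdm`.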